Summary
As proposed in the Cloud and AI Development Act (CADA), the EU Open Source Solutions Catalogue (EU OSS Catalogue) is a centralized hub designed to federate specifically with public-sector repositories. Under Article 43(3), the Commission decides on connection requests from "Union entities or public sector bodies." The Act does not mandate that private-sector catalogues federate with this central hub. However, the legislative context in Recital 83 envisions the catalogue enabling federation with existing catalogues for both sectors, and the Interoperable Europe Portal serves as the technical host and broader ecosystem hub where private actors may voluntarily align to enhance discoverability and procurement opportunities.
Detail
The proposed Cloud and AI Development Act (CADA) introduces a structured framework to combat the fragmentation of open-source software (OSS) within the European Union. A cornerstone of this framework is the EU Open Source Solutions Catalogue, established to serve as a single point of discovery for software developed by or for the public sector. While the Act encourages a vibrant open-source ecosystem, the legal obligations regarding federation are strictly tiered between public and private actors.
The Mandatory Public-Sector Federation
The core obligation for federation rests exclusively on public entities. Article 42 of the proposal stipulates that when a Union entity or public sector body makes software available for reuse under an open-source licence, it must do so using a catalogue or repository that is "connected to, and made accessible through, the EU OSS Catalogue." This creates a federated architecture where individual public repositories remain operational but are technically linked to the central EU OSS Catalogue to ensure unified searchability.
The mechanism for this connection is defined in Article 43(3). It states:
"The Commission shall, on the basis of objective and relevant criteria, decide on the request of any Union entity or public sector body owning or maintaining a catalogue or repository to have that catalogue or repository connected to and made accessible through the EU OSS Catalogue."
This provision establishes a formal, discretionary process. Connection is not automatic; it requires a request from the public body and a subsequent decision by the Commission based on "objective and relevant criteria." These criteria will likely ensure that connected repositories meet specific standards for metadata, security, and interoperability, preventing the central hub from being flooded with non-compliant or low-quality data.
The Role of the Interoperable Europe Portal
The technical backbone of the EU OSS Catalogue is explicitly anchored in existing EU digital infrastructure. Article 43(2) mandates that the catalogue "shall be hosted on the Interoperable Europe Portal referred to in Article 8 of Regulation (EU) 2024/903" (the Interoperable Europe Act). This portal is a public resource, accessible electronically free of charge.
By hosting the catalogue on this portal, CADA ensures that the OSS ecosystem is not siloed but integrated into the broader framework for digital public service interoperability. The Interoperable Europe Portal acts as the central hub, providing the necessary technical environment for the catalogue to function, while also offering access to training, best practices, and other interoperability solutions. This strategic placement reinforces the idea that open-source software is a critical component of the EU's digital public infrastructure.
Private Sector: Voluntary Alignment, Not Mandatory Federation
A critical distinction in the CADA proposal is the absence of a mandatory federation requirement for the private sector. The legal text in Articles 42 and 43 specifically targets "Union entities and public sector bodies." Consequently, a private company's internal software repository or public-facing catalogue is not legally required to connect to the EU OSS Catalogue.
However, the legislative intent suggests a broader vision for ecosystem integration, even if the binding obligation is limited to the public sector:
- Recital 83 Context: This recital acknowledges that software is often scattered across different repositories, hampering searchability. It states that the EU OSS Catalogue should serve as a centralised catalogue to access software made available for reuse. Crucially, it notes that hosting the catalogue on the Interoperable Europe Portal will ensure that solutions can be "easily linked to further relevant information and training." While the immediate mandate is for public bodies, the recital implies a policy goal of creating a cohesive ecosystem where discoverability is maximized across the board.
- Recital 15 and the Cloud and AI Leadership Initiatives: In the context of broader innovation measures, Recital 15 mentions the creation of a catalogue of software tools including open source "in order to enable federation with existing catalogues for the private and public sectors." This indicates a strategic ambition to bridge the gap between public and private repositories, even if the specific legal mechanism in Article 43 is currently restricted to public bodies.
- Market-Driven Integration: While private catalogues are not forced to federate under Article 43(3), the market dynamics created by CADA may encourage voluntary alignment. As public procurement increasingly favors open-source solutions (Article 41) and public bodies are required to publish their software in the EU OSS Catalogue, private providers may find it advantageous to ensure their offerings are discoverable within this ecosystem. This could involve voluntary integration with the Interoperable Europe Portal or adopting the metadata standards that the Commission will define for the public-sector federation.
Technical Implications of the "Objective Criteria"
For the public-sector federation to function effectively, the "objective and relevant criteria" mentioned in Article 43(3) will be pivotal. The Commission is empowered to adopt implementing acts to specify these criteria. These will likely cover:
- Metadata Standards: Ensuring consistent tagging of software for searchability.
- API Interfaces: Defining how the central catalogue queries and retrieves data from federated repositories.
- Security and Licensing: Verifying that connected repositories adhere to open-source licence definitions and security best practices.
Private-sector catalogues, while not subject to these mandatory criteria, may find that aligning with them provides a competitive edge. If the Commission's criteria become the de facto standard for EU public procurement, private providers who align their catalogues with these standards may streamline their sales processes to public sector bodies.
What this means for you
- For Public Sector CTOs and Architects: You are legally bound to prepare your software repositories for mandatory connection to the EU OSS Catalogue. Review your internal catalogues against the "objective and relevant criteria" that the Commission will define. Ensure your repositories support the necessary metadata standards and API interfaces to facilitate federation. The connection is not optional if you make software available for reuse under an open-source licence.
- For Private Sector Providers and SMEs: You are not legally required to federate your catalogue with the EU OSS Catalogue under CADA. However, if you sell or license software to public sector bodies, consider the strategic value of alignment. The CADA promotes open-source solutions in public procurement. Ensuring your software is discoverable through standards compatible with the Interoperable Europe Portal may enhance your market access. Monitor the development of the "objective and relevant criteria" for federation, as these may become industry benchmarks for interoperability.
- For Legal and Compliance Teams: Distinguish clearly between the mandatory obligations for public bodies (Articles 42 and 43) and the voluntary nature of private sector participation. While private federation is not mandated, the broader CADA framework encourages open-source adoption. Ensure your open-source licensing strategies align with the CADA's emphasis on transparency, security, and reuse, particularly if you engage with public sector clients.
Common misconceptions
- Misconception: "All software catalogues in the EU, including private ones, must federate with the EU OSS Catalogue."
- Reality: The CADA proposal only mandates connection for Union entities and public sector bodies that make software available for reuse. Private-sector catalogues are not subject to this legal obligation.
- Misconception: "The EU OSS Catalogue is a new, standalone platform that will replace existing repositories."
- Reality: The EU OSS Catalogue is a centralized hub that federates with existing public-sector repositories. It does not replace them but connects them, enhancing discoverability while allowing entities to maintain their own infrastructure.
- Misconception: "Private companies can directly request to federate their catalogue with the EU OSS Catalogue under Article 43(3)."
- Reality: Article 43(3) specifies that requests come from "any Union entity or public sector body." There is no explicit legal pathway for private entities to request direct federation under this article. Private integration would likely occur through broader alignment with the Interoperable Europe Portal or voluntary adoption of compatible standards.
This is general information about a draft EU regulation, not legal advice.